Our client is a leading UK law firm with a large percentage of clients in the Insurance sector.
A key business driver for the firm is to ensure it can evidence compliance with the GDPR legislation by March 2018.
As a leading advisory firm, our client places a high value on protecting its reputation within the legal sector and amongst its clients.
Insurance clients are also driven by the rigours of the FCA regime, which, even prior to GDPR, was pushing members to evidence greater due diligence of controls in their supplier management practice.
Our client's business processes require it to respond frequently to information security control due diligence requests from insurers, either as part of a new bid or as part of ongoing supplier management.
Increasingly, these questionnaires require evidence that our client is responding to prevailing financial services regulation and legislation.
With this business background and a shortage of available specialist resources, our client engaged TORI to assist with delivery of the firm's GDPR compliance project.
What we did
The engagement has been separated into two phases: Readiness Assessment, followed by Remediation and Compliance.
Readiness Assessment requires that TORI subject matter experts from our Risk & Control and Technology Infrastructure teams collaborate with peers on the client side.
Ten work streams were established to perform a gap analysis between the current and target compliance state. The work streams are fully aligned to the guidelines of the GDPR legislation and the UK Information Commissioner's Office (ICO):
Leadership, culture and governance
GDPR project structure, due diligence and controls
Scope of the compliance (legal entities and cross border)
Risk management
Roles and responsibilities
Data Protection Office
Process Information Management systems
Process and applications analysis
Information Security Management systems
Rights of the data subjects
A compliance tool was developed by TORI to act both as a project dashboard and as evidence of the due diligence and rigour applied in the project.
The current state assessment required TORI to collect data from multiple sources, including flowcharts, data maps, structured interviews, contracts, application interrogation, audit reports and policies/procedures.
At every stage, client interaction was fully inclusive and collaborative, ensuring that our client has full ownership of the project, supported by TORI subject matter expertise.
The result
Full GDPR compliance status is required by April 2018, and our client will achieve that.
The Readiness Assessment phase will complete during August 2018.
The phase report will:
Confirm the scale of the remediation gap
Compile a detailed remediation plan with timescales, roles and costs
The prioritisation of the plan is driven by a full risk assessment approach.
Ensure that controls are in place so that the management of evidence-based due diligence is embedded into the firm's day-to-day business operations
Remediation activities are to be prioritised using factors such as the firm's risk appetite and the prevailing compliance guidelines from the ICO.